diff options
author | Oliver Chang <ochang@chromium.org> | 2015-11-20 09:53:08 -0800 |
---|---|---|
committer | Oliver Chang <ochang@chromium.org> | 2015-11-20 09:53:08 -0800 |
commit | e7950df70a2fd658f466751b29483436cb31e829 (patch) | |
tree | 117ff5fae2f38d9a97f2767a65eac8ed6a492069 /core/src/fxcodec/codec/fx_codec.cpp | |
parent | bd716fcf89f38bb82eb97ae73e9af60c2232328e (diff) | |
download | pdfium-e7950df70a2fd658f466751b29483436cb31e829.tar.xz |
Change |CCodec_ScanlineDecoder::m_Pitch| to FX_DWORD
This matches the type of the corresponding |CFX_DIBSource::m_Pitch|,
where integer overflow is checked for FX_DWORD. This change is
propagated to many other places.
Also, check for integer overflow in |CCodec_RLScanlineDecoder::Create|
during the calculation of |m_Pitch| since it aligns to 4 bytes while
overflow was was previously checked without this alignment.
R=tsepez@chromium.org, thestig@chromium.org
BUG=555784
Review URL: https://codereview.chromium.org/1460033002 .
Diffstat (limited to 'core/src/fxcodec/codec/fx_codec.cpp')
-rw-r--r-- | core/src/fxcodec/codec/fx_codec.cpp | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/core/src/fxcodec/codec/fx_codec.cpp b/core/src/fxcodec/codec/fx_codec.cpp index 51a1f5d55c..ad6fc95c90 100644 --- a/core/src/fxcodec/codec/fx_codec.cpp +++ b/core/src/fxcodec/codec/fx_codec.cpp @@ -25,15 +25,14 @@ CCodec_ModuleMgr::CCodec_ModuleMgr() CCodec_ScanlineDecoder::ImageDataCache::ImageDataCache(int width, int height, - int pitch) - : m_Width(width), m_Height(height), m_Pitch(pitch), m_nCachedLines(0) { -} + FX_DWORD pitch) + : m_Width(width), m_Height(height), m_Pitch(pitch), m_nCachedLines(0) {} CCodec_ScanlineDecoder::ImageDataCache::~ImageDataCache() { } bool CCodec_ScanlineDecoder::ImageDataCache::AllocateCache() { - if (m_Pitch <= 0 || m_Height < 0) + if (m_Pitch == 0 || m_Height < 0) return false; FX_SAFE_SIZE_T size = m_Pitch; @@ -47,7 +46,7 @@ bool CCodec_ScanlineDecoder::ImageDataCache::AllocateCache() { void CCodec_ScanlineDecoder::ImageDataCache::AppendLine(const uint8_t* line) { // If the callers adds more lines than there is room, fail. - if (m_Pitch <= 0 || m_nCachedLines >= m_Height) { + if (m_Pitch == 0 || m_nCachedLines >= m_Height) { NOTREACHED(); return; } @@ -58,7 +57,7 @@ void CCodec_ScanlineDecoder::ImageDataCache::AppendLine(const uint8_t* line) { } const uint8_t* CCodec_ScanlineDecoder::ImageDataCache::GetLine(int line) const { - if (m_Pitch <= 0 || line < 0 || line >= m_nCachedLines) + if (m_Pitch == 0 || line < 0 || line >= m_nCachedLines) return nullptr; size_t offset = m_Pitch; @@ -343,8 +342,19 @@ FX_BOOL CCodec_RLScanlineDecoder::Create(const uint8_t* src_buf, m_bpc = bpc; m_bColorTransformed = FALSE; m_DownScale = 1; - m_Pitch = (width * nComps * bpc + 31) / 32 * 4; - m_dwLineBytes = (width * nComps * bpc + 7) / 8; + // Aligning the pitch to 4 bytes requires an integer overflow check. + FX_SAFE_DWORD pitch = width; + pitch *= nComps; + pitch *= bpc; + pitch += 31; + pitch /= 32; + pitch *= 4; + if (!pitch.IsValid()) { + return FALSE; + } + m_Pitch = pitch.ValueOrDie(); + // Overflow should already have been checked before this is called. + m_dwLineBytes = (static_cast<FX_DWORD>(width) * nComps * bpc + 7) / 8; m_pScanline = FX_Alloc(uint8_t, m_Pitch); return CheckDestSize(); } |